Risks & opportunities
We balance risks and their impact with the opportunities and advantages they offer. This allows us to maximize the benefits of a risk while minimizing the consequences.
Risk culture
Risks can occur anywhere in the organization. So it is important that every Coolbluer is aware of risks and can identify them. This is why every Coolbluer is responsible for managing their own risks. They are supported in this by our Risk & Internal Control, Tax, Safety, Security & Fraud, Tech Security, Finance, and Legal departments. The ultimate responsibility for risks is borne by the Management Board. This approach allows us to create a culture in which risk management stays top of mind throughout the organization and in which risks are managed when and where they occur through detection and prevention.
Internal guidelines
To provide Coolbluers with the means to decide how to go about a risk, we have various internal policies in place, which are in part based on external regulation. These policies are written in an honest, direct, and open manner and are easily available to every Coolbluer in multiple languages. We periodically review these policies to ensure they continue to meet legislative demands. Examples of our internal guidelines are:
- The Workguide (the employee guidebook);
- The Friend Code (our code of conduct);
- How can Coolblue help me with undesirable situations? (our whistleblower policy);
- What happens if I cheat? (our anti-fraud policy); and
- What if I don’t stick to the Coolblue agreements? (our disciplinary policy).
Increasing awareness
We make an effort to maintain a consistently high level of risk awareness. We actively involve Coolbluers in our risk management processes. As a result, we gain a current and accurate view of what is at play in the organization and we can manage our risks effectively. To further support Coolbluers in this, we offer e-learning modules and training courses that address topics such as information security, the GDPR, labor law, competition law, tax law, and integrity. In 2024, we implemented a mandatory cybersecurity awareness training course for all our office colleagues.

Risk profile summary
We identified the risks that could impact the realization of our strategic goals and profiled them accordingly.
Risk identification & assessment
Our risk management focuses on 4 categories: strategic risks, operational risks, finance & reporting risks, and compliance risks. To create a risk profile for each risk, we have conducted various top-down and bottom-up risk assessments. We then prioritized the most relevant risks in a yearly Strategic Risk Assessment with managers and the Management Board. These results have been discussed with both the Audit Committee and the Supervisory Board.
In 2024, we identified and profiled 11 risks, the same number as we had in 2023. We have rated these risks on a 5-point scale, based on their likelihood, impact, and our risk appetite. These ratings vary slightly compared to 2023.
Likelihood is the first scale on which we rate a risk. It defines the probability that a risk will occur within 2 years.
Impact forms the second scale on which we rate a risk. Here, we assess to what extent a risk would negatively affect the achievement of our goals, promises, and ambitions.
Risk appetite
The third and final scale, risk appetite, defines our willingness to run or take a risk. The lower our appetite for a risk, the stricter our measures have to be to manage it. On the other hand, we sometimes need to adopt a higher risk appetite to achieve our strategic goals.
Strategic risks
1. Reputation
Coolblue has a strong reputation. We want to uphold this reputation and prevent any damage to it, as this could negatively influence our business. At the same time, we have a desire to grow. We want to expand our business internationally and, for example, through exclusive brands. This means we constantly look for a balance between our growth plans and the risk exposure they entail. Because of the growth we realized in Germany in 2024, we have identified an increase in the likelihood of this risk compared to 2023.
2. Competition
We operate in markets that are highly competitive and dynamic in size. And we see that for a number of product types, the market size changes. To solidify our overall position in our existing markets and ensure we keep growing, we continue to invest in our leading customer journeys. They are geared towards product types, customer needs, and needs specific to the countries we operate in. This approach also works in markets we newly enter, allowing us to compete with established competitors.
We see that our (digital) playing field is changing rapidly due to the introduction of new disruptive technologies such as AI. For Coolblue, this implies challenges, but it also creates possibilities and new ways of working, which will enable us to keep going the extra smile for our customers.
3. Economic conditions
Because Coolblue operates in a variety of markets, we are subject to various circumstances on national and international scales. Some of these circumstances also directly affect our customers, who adjust their spending choices accordingly. Over 2024, we saw a stabilization in inflation and an increase in consumer confidence. This has resulted in an unchanged assessment of this risk compared to 2023.
Operational risks
4. Information security & data privacy
Ensuring the safety of our data and technology is vital to Coolblue. As a result of our growth and automation strategy, we rely more strongly on information systems. This makes the potential impact of this risk larger. We minimize its likelihood by constantly improving our cyber and information security controls, for example by performing Data Protection Impact Assessments when and where needed. Additionally, we do everything in our power to secure our (customer) data, prevent hacks and data leaks, and minimize the impact an incident may have. We have begun applying a data centralization strategy that will allow us to further optimize our data governance. We continuously improve our (cyber) resilience by implementing and optimizing our detection and response controls and processes. And for each of the AI developments within Coolblue, our Privacy Officer is involved to ensure we fully comply with all relevant privacy legislation.
5. Availability of systems & critical processes
We constantly apply optimizations in our operations, such as mechanization in our warehouse. As a result, our dependency on technology increases. The impact of disruptions also increases, for instance in our automated picking process. To minimize the chance of this happening, we review our critical operations, dependencies on suppliers, and continuity and fallback procedures. For each, we identify our critical operations and risks. This allows us to minimize the odds of a disruption and the downtime that would follow. At the same time, we optimize how quickly we can restore our operations.
6. Stock management
Stock management risks come in 2 categories: excess stock and insufficient stock. To minimize both, we use algorithms that calculate the expected sales patterns every day, which we align our purchasing activities to. This way, we can order the optimal number of products at all times and closely monitor our stock health. With our increased efforts in exclusive brand products, this became even more important in 2024. Simultaneously, we have enhanced the algorithms and forecasts on stock levels to further decrease risks of future excess and insufficient stock.
7. Supply chain continuity
Our business depends on 2 factors: the availability of products and their components, and our ability to deliver them to our customers. We make an effort to safeguard continuity of both. By working very closely with our suppliers, we guarantee a constant supply and use our strong financial structure to realize this. We want to mitigate the risk of varying availability due to international influences. We do so by ensuring that we live up to our delivery promise through our own delivery propositions and by closely collaborating with our delivery partners. As a result, we see no significant change in this risk compared to our assessment in 2023.
8. Attract and retain qualified Coolbluers
Qualified and talented people are key to our success. That is why we are always happy to welcome new Coolbluers and help them build their career within Coolblue. At the same time, the competition for skilled personnel remains high. We offer Coolbluers careers rather than jobs, in which we help them continuously refine their skillset. For example, we offer them various training courses at our in-house training facilities. This way, we actively help them build their career within Coolblue.
We continue to strive for operational excellence and understand how Coolbluers and mechanization complement each other in this. This enables us to focus human attention where it adds value. As a result, we see no significant change in the assessment of this risk.
9. Health, safety, and environment
The health and safety of our Coolbluers is of the highest importance to us. To safeguard both, we have procedures in place that outline in detail how to act in certain situations. As we continue to diversify in the products and services we offer, we also place strong emphasis on the safety of the Coolbluers who carry out the physical component of these new propositions. We actively provide training courses with best safety practices, ensuring our Coolbluers can safely and securely perform their tasks.
Finance & reporting risk
10. Finance and liquidity
Our operations are financed by our operating cash flow, a negative working capital, and reinvestment of our profits. Thanks to our underlying debtor management, stock management, and treasury processes, we are always able to meet our payment obligations. We consistently monitor our exposure and liquidity to minimize the risk and have sufficient cash and credit lines available. Operating in the energy supply business includes related sourcing risks, collateral risks, and credit risks on suppliers. We manage these risks through strong monitoring and scenario planning, and they are further mitigated by our strong cash position.
Refinancing in 2024 and the additional shareholder loan have further improved our cash position. As a result, the likelihood of financial and liquidity risks actually occurring has decreased.
Compliance risk
11. Regulatory compliance
We continue to grow and expand in other countries and markets, such as Germany and the Dutch energy market. Additionally, we continue to develop our exclusive brands. As a result, there is an increasing amount of existing legislation we need to adhere to. At the same time, we want to ensure our full compliance with all future governing legislation, such as NIS2, the European AI Act, and the CSRD.
We have a zero-tolerance approach to bribery, corruption, fraud, and any other form of (illegal) misconduct. This is strongly highlighted in our code of conduct and other guidelines. We also offer mandatory training courses that are geared to the relevant legislation within departments. This further ensures our consistent compliance.
Enhancement of our risk management system
We appointed Risk Coordinators in 2023 and fully placed risk ownership and accountability with them in 2024, allowing the risk department to assume a monitoring and advisory role. Together with the Domain Bosses, the Coordinators have mapped key processes, the associated risks, and internal control measures. These were combined into an integrated risk overview, which enables monitoring of these risks and insight development. In addition, we have continued to develop key metrics to further increase monitoring possibilities.
We have further reinforced organization-wide security awareness. We made cybersecurity training mandatory for all laptop users and implemented a training course specifically aimed at cybersecurity in operational technology. We continued to roll out vulnerability scanning across both IT and OT systems. We centrally monitor and analyze the resulting data to identify trends. Additionally, we have planned an in-house incident response exercise for executives with external experts to further improve response capabilities and resilience. We continued to improve monitoring, response, and reporting of cyber threats and enhanced board reporting on cybersecurity risks, controls, and metrics.
Fraud Detection and Prevention
To further prevent fraud throughout our organization in 2024, we improved dashboarding, monitoring, and flagging. For example, we enhanced our smart detection model through analyzing trends. At domain level, we implemented processes to map irregularities and minimize their impact. And our Fraud & Loss Prevention Experts are now supported with extra enhanced tools, such as advanced camera systems, automatic photos of order content, and product weight recognition.
Safeguarding privacy
We have an unceasing focus on the protection of data, both our own and our customers’. To ensure that this remains top of mind for each and every Coolbluer, we will continue to further develop existing educational courses and roll out training courses that are tailored to our specific domains. In addition, we will continue to monitor existing processes to identify potential improvements to further ensure the safety of information we store. Lastly, we keep a close eye on, among other things, changing legislation to ensure our compliance.
Looking ahead
We are pleased with the steps we took in 2024 to improve our risk management and internal control framework. With the creation of risk registers per domain, we laid the foundation to further enhance our integrated risk framework in 2025. Upon completion, we will be able to adopt a broader end-to-end focus on processes. Not only will this provide us with more control over these processes, but we will also have increased insight into handover moments. Moreover, we will continue to strengthen internal control, broaden our risk assessment activities in terms of IT, and enhance our cybersecurity posture.
Lastly, we will map out what our focus on further mechanization will entail, thereby also focusing on future availability and continuity of systems and processes.